Tuesday, February 8, 2011

JUNOS Differences between a Policy-Based VPN vs. a Route-Based VPN

Summary:
The article briefly covers the differences between a Policy-Based VPN and a Route-Based VPN on JUNOS. In addition, it explains how to identify quickly which type is configured for an existing VPN.

Problem or Goal:
Which type of VPN is configured, Route-Based or Policy-Based?
When should I configure a Route-Based VPN and when a Policy-Based VPN?

Solution:
This article applies to:
  • J Series devices running:
    • JUNOS 9.4 and above
    • JUNOS with Enhanced Services 8.5 through 9.3
  • SRX Series devices
Policy Based:
  • A Policy-Based VPN is a configuration in which a specific VPN tunnel is referenced directly in a security policy whose action includes Tunnel.  In Monitor > Security Policies, if the action includes both Permit and Tunnel then this is a Policy-Based VPN (in the CLI the policy's then clause reads permit tunnel ipsec-vpn vpn-name).  Entering the policy details will show whether a Pair Policy is configured.  If so, the policy is configured for a bi-directional tunnel: the two paired policies share a single set of Phase II SAs in both directions.
  • A Policy-Based VPN makes sense for situations where only a single host (running NetScreen-Remote) or one subnet or network needs to be accessible across the VPN.  If multiple subnets need to be accessible then a Route-Based VPN makes more sense.
  • For interoperability with certain third-party VPN devices that do not support the concept of route-based VPNs and expect one Phase II SA (one local/remote proxy-ID pair) per pair of networks, a Policy-Based VPN is mandatory when routing to multiple networks across the tunnel: each tunnel policy derives its own proxy IDs from the policy's source and destination addresses.
  • A tunnel policy will always have an action of Permit and Tunnel.  A Deny action is not allowed, so traffic that must be blocked has to be kept out of the tunnel policy's match conditions.
Route Based:
  • A Route-Based VPN is a configuration in which the policy does not reference a specific IPSec VPN. Instead, a VPN tunnel is indirectly referenced by a route whose next-hop points to a specific Secure Tunnel (st0) interface. The st0 interface is associated with a specific IPSec VPN through the bind-interface statement at the [edit security ipsec vpn vpn-name] hierarchy level.
  • The st0 interface can be numbered or unnumbered. If it is unnumbered, the st0 interface borrows the IP address from the security zone interface.
  • A tunnel is a means for delivering traffic between points A and B, and a policy is a method for either permitting or denying the delivery of that traffic. Simply put, JUNOS allows you the freedom to separate the regulation of traffic from the means of its delivery.
  • If the st0 interface does not need to support Policy-Based NAT, then the st0 interface can be specified as unnumbered. An unnumbered ST interface must still be bound to a security zone.  An egress interface must also be bound to the security zone whose IP address the unnumbered st0 interface borrows.
A Route-Based VPN must include the following configuration information:
  • Secure Tunnel (st0) Interface
  • Phase I VPN Gateway configuration (listed under Configuration > Quick Configuration > VPN > IKE on J-Web)
  • Phase II VPN configuration (listed under Configuration > Quick Configuration > VPN > IPSec Autokey on J-Web); including:
    • Local and Remote Proxy ID 
    • IPSec configuration bound to st0 interface
  • Route for remote network pointing to the st0 interface for the next-hop
  • Policy specifying an action of "Permit" to allow traffic through the st0 interface; unlike a tunnel policy, an action of Deny is also allowed here, so certain hosts or applications can be blocked without touching the tunnel itself.
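The identification rule from the Policy Based section (a VPN named in a policy's permit tunnel ipsec-vpn action) and the route-based requirements listed above can be checked mechanically against the output of show configuration | display set. The script below is an added example, not code from the original article or from Juniper; it embeds a constructed set-format configuration with one route-based VPN (vpn-siteB, bound to st0.0 with static routes pointing at it) and one bi-directional policy-based VPN (vpn-siteC, referenced by a pair of tunnel policies). All names, zones and addresses are hypothetical.

```python
"""Classify Junos IPsec VPNs as policy-based or route-based from
'show configuration | display set' output (added example, not Juniper code)."""
import re
from collections import defaultdict

# Constructed sample configuration; names, zones and addresses are hypothetical.
SAMPLE_CONFIG = """
set interfaces st0 unit 0 family inet address 10.10.10.1/30
set security zones security-zone vpn interfaces st0.0
set security ike gateway gw-siteB ike-policy ike-pol
set security ike gateway gw-siteB address 203.0.113.2
set security ike gateway gw-siteB external-interface ge-0/0/0.0
set security ike gateway gw-siteC ike-policy ike-pol
set security ike gateway gw-siteC address 198.51.100.7
set security ike gateway gw-siteC external-interface ge-0/0/0.0
set security ipsec vpn vpn-siteB bind-interface st0.0
set security ipsec vpn vpn-siteB ike gateway gw-siteB
set security ipsec vpn vpn-siteB ike ipsec-policy ipsec-pol
set security ipsec vpn vpn-siteC ike gateway gw-siteC
set security ipsec vpn vpn-siteC ike ipsec-policy ipsec-pol
set routing-options static route 192.168.2.0/24 next-hop st0.0
set routing-options static route 192.168.3.0/24 next-hop st0.0
set security policies from-zone trust to-zone vpn policy to-siteB match source-address any
set security policies from-zone trust to-zone vpn policy to-siteB match destination-address any
set security policies from-zone trust to-zone vpn policy to-siteB match application any
set security policies from-zone trust to-zone vpn policy to-siteB then permit
set security policies from-zone vpn to-zone trust policy from-siteB match source-address any
set security policies from-zone vpn to-zone trust policy from-siteB match destination-address net-lan
set security policies from-zone vpn to-zone trust policy from-siteB match application any
set security policies from-zone vpn to-zone trust policy from-siteB then permit
set security policies from-zone trust to-zone untrust policy to-siteC match source-address net-lan
set security policies from-zone trust to-zone untrust policy to-siteC match destination-address net-siteC
set security policies from-zone trust to-zone untrust policy to-siteC match application any
set security policies from-zone trust to-zone untrust policy to-siteC then permit tunnel ipsec-vpn vpn-siteC
set security policies from-zone trust to-zone untrust policy to-siteC then permit tunnel pair-policy from-siteC
set security policies from-zone untrust to-zone trust policy from-siteC match source-address net-siteC
set security policies from-zone untrust to-zone trust policy from-siteC match destination-address net-lan
set security policies from-zone untrust to-zone trust policy from-siteC match application any
set security policies from-zone untrust to-zone trust policy from-siteC then permit tunnel ipsec-vpn vpn-siteC
set security policies from-zone untrust to-zone trust policy from-siteC then permit tunnel pair-policy to-siteC
"""

# One regex per configuration statement the classification depends on.
VPN_RE = re.compile(r"^set security ipsec vpn (\S+)(?: bind-interface (\S+))?")
TUNNEL_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
                       r"then permit tunnel ipsec-vpn (\S+)$")
PAIR_RE = re.compile(r"^set security policies from-zone \S+ to-zone \S+ policy (\S+) "
                     r"then permit tunnel pair-policy (\S+)$")
ROUTE_RE = re.compile(r"^set routing-options static route (\S+) next-hop (st0\.\d+)$")


def classify_vpns(config_text):
    """Return {vpn name: info}. A VPN named in a 'permit tunnel ipsec-vpn' action is
    policy-based; a VPN with a bind-interface is route-based, and its routes are the
    static routes whose next-hop is that st0 unit (no route found means traffic has
    no way into the tunnel unless a dynamic routing protocol supplies one)."""
    vpns = {}
    tunnel_policies = defaultdict(list)  # vpn name -> [(from-zone, to-zone, policy)]
    pair_of = {}                         # policy name -> paired policy name
    routes_via = defaultdict(list)       # st0 unit -> [prefix]
    for raw in config_text.splitlines():
        line = raw.strip()
        m = VPN_RE.match(line)
        if m:
            info = vpns.setdefault(m.group(1), {"type": "unknown", "bind_interface": None,
                                                "policies": [], "bidirectional": False,
                                                "routes": []})
            if m.group(2):
                info["bind_interface"] = m.group(2)
            continue
        m = TUNNEL_RE.match(line)
        if m:
            from_zone, to_zone, policy, vpn = m.groups()
            tunnel_policies[vpn].append((from_zone, to_zone, policy))
            continue
        m = PAIR_RE.match(line)
        if m:
            pair_of[m.group(1)] = m.group(2)
            continue
        m = ROUTE_RE.match(line)
        if m:
            routes_via[m.group(2)].append(m.group(1))
    for name, info in vpns.items():
        if tunnel_policies.get(name):
            info["type"] = "policy-based"
            info["policies"] = tunnel_policies[name]
            info["bidirectional"] = any(p in pair_of for _, _, p in info["policies"])
        elif info["bind_interface"]:
            info["type"] = "route-based"
            info["routes"] = routes_via.get(info["bind_interface"], [])
    return vpns


if __name__ == "__main__":
    for name, info in sorted(classify_vpns(SAMPLE_CONFIG).items()):
        print(name, info["type"], info["bind_interface"], info["routes"],
              [p for _, _, p in info["policies"]], "pair-policy" if info["bidirectional"] else "")
```

Run it against a saved show configuration | display set capture by reading the file into classify_vpns in place of SAMPLE_CONFIG. A VPN reported as route-based with an empty routes list is worth a second look: either a dynamic routing protocol runs over the st0 interface or the route requirement from the list above has been missed.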
